FOREWORD


This Indian Standard was adopted by the Bureau of Indian Standards, after the draft finalized by the Power 
System Control and Associated Communications Sectional Committee had been approved by the Electronics and 
Information Technology Division Council. 


The electricity or power sector in India is dealing with a number of complex and large issues, including
demand-supply imbalance, quality of power, financial viability and growth impediments. The Indian power sector
is growing at an enormous pace. Various grid expansion and interconnection projects are on-going to strengthen
the existing transmission infrastructure to build a national grid. The need for interconnecting power networks
is in turn driving the need for interconnection of information networks. It is imperative that today's power
systems utilize the capabilities that modern information and communication technologies provide.


With the increase in complexity of the system and its usage, there is an increase in the threat perception in the
overall management of the grid as a whole. Due to the use of modern technology, including widespread use of
communication technology in the management of the national grid, there is a need to address the security threats
coming from various sources. This standard has been formulated keeping in view all possible security threats to
the efficient operation of a modern grid system.


The Bibliographic references are given in Annex A. 
Indian Standard


POWER CONTROL SYSTEMS — SECURITY 
REQUIREMENTS 


1 SCOPE 


This standard specifies requirements for identification 
and protection of critical assets for all entities involved 
in generation, transmission, distribution and trading 
of electric power. It covers the following: 


a) Critical asset identification and monitoring. 


b) Security management for personnel and 
assets. 


c) Electronic and physical security of assets. 

d) Incident reporting and response and recovery 
planning. 

e) Auditing and conformance procedures. 


2 REFERENCES 


The standards listed in Annex B contain provisions 
which, through reference in this text, constitute 
provisions of this standard. At the time of publication, 
the editions indicated were valid. All standards are 
subject to revision, and parties to agreements based on 
this standard are encouraged to investigate the 
possibility of applying the most recent editions of the 
standards listed in Annex B. 


3 TERMINOLOGY 


For the purpose of this standard the definitions given 
in IEC/TS 62351-2 and the following shall apply. 


3.1 Asset — Anything that has value to the organization. 


3.2 Critical Assets — Facilities, systems and
equipment which, if destroyed, degraded or otherwise
rendered unavailable, would affect the reliability or
operability of the bulk electric system.


3.3 Critical Cyber Assets — Cyber assets essential to
the reliable operation of a critical asset.


3.4 Cyber Assets — The programmable electronic 
devices, including the hardware, software and data in 
those devices that are connected over a network, such 
as LAN, WAN and HAN. 


3.5 External threat — A threat originating outside a 
company, government agency, or institution. 


3.6 Internal Threat — A threat originating inside the 
organization. 


3.7 Policy — An overall intention and direction as
formally expressed by management.


3.8 Robustness — The persistence of a system’s 
characteristic behaviour under perturbations or 
conditions of uncertainty. 


3.2 Abbreviations


For the purpose of this standard the following
abbreviations shall apply:


Abbreviation   Description
AES            Advanced Encryption Standard
ATIS           Alliance for Telecommunications Industry Solutions
CERT           Computer Emergency Response Team
CERT-In        Indian Computer Emergency Response Team
CIP            Critical Infrastructure Protection
DISCOM         Distribution Company
IEC            International Electrotechnical Commission
IEV            International Electrotechnical Vocabulary
ISO            International Organization for Standardization
ISA            International Society of Automation
MMS            Manufacturing Message Specification
NERC           North American Electric Reliability Corporation
NIST           National Institute of Standards and Technology
RFC            Request for Comments
TCP            Transmission Control Protocol
TCP/IP         Transmission Control Protocol/Internet Protocol


4 SECURITY OVERVIEW


4.1 The management of power system infrastructure 
has become reliant on the information infrastructure 
as automation continues to replace manual operation, 
market forces demand more accurate and timely 
information, and the power system equipment ages. 
Therefore, the reliability of the power system is 
increasingly affected by any problems that the 
information infrastructure might suffer. As the power 
industry relies increasingly on information to operate 
the power system, two infrastructures now have to be 
managed: Power system infrastructure, and 
Information infrastructure. 


In the past, information for managing these 
infrastructures was only available to a select set of 
people and these infrastructures were not a target for
unauthorized access — either for gain or bravado. 
Security was achieved through obscurity for the most 
part. 


However, security by obscurity is no longer a valid
concept. In particular, the electricity market is
pressuring market participants to gain any edge they
can. A tiny amount of information can turn a losing
bid into a winning bid — or withholding that information
from your competitor can make their winning bid into
a losing bid. The desire to disrupt power system
operations can stem from simple teenager bravado, to
competitive game-playing in the electrical marketplace,
to actual terrorism. It is not only the market forces that
are making security crucial: the sheer complexity of
operating a power system has increased over the years,
making equipment failures and operational mistakes
more likely and their impact greater in scope and cost.
In addition, the older, obscure frameworks are being
replaced by standardized, well-documented
frameworks that are more susceptible to hackers and
industrial spies. Additionally, integrated operation of
power and information systems has increased security
vulnerability.


4.2 This has brought about a need to create a security
framework for all infrastructures. For new
developments that are happening in each field, security
is now considered a basic and required feature
instead of an add-on.


Security entails a much larger scope than just the 
authentication of users and the encryption of 
communication. End-to-end security involves security 
policies, access control mechanisms, key management, 
audit logs, and other critical infrastructure protection 
issues. It also entails securing the information 
infrastructure itself. 


4.3 Security threats can be classified into inadvertent
and deliberate threats. They are further classified as
follows:


a) Inadvertent threats: 
1) Safety failures, 
2) Equipment failures, 
3) Carelessness, and 
4) Natural disasters. 

b) Deliberate threats: 
1) Disgruntled employee, 
2) Industrial espionage, 
3) Vandalism, 
4) Cyber hackers, 
5) Viruses and worms, 
6) Theft, and 
7) Terrorism. 


The key point is that the overall security of power 
system operations is threatened not only by deliberate 
acts of espionage or terrorism but by many other, 
sometimes deliberate, sometimes inadvertent threats 
that can ultimately have devastating consequences. 


4.4 The objective of security is the preservation of
the following:


a) Confidentiality — Preventing the 
unauthorized access to information. 

b) Integrity — Preventing the unauthorized 
modification or theft of information. 


c) Availability — Preventing the denial of service 
and ensuring authorized access to 
information. 


d) Non-repudiation or accountability —
Preventing the denial of an action that took
place or the claim of an action that did not
take place.


4.5 The security requirements and possible threats or 
types of attacks are illustrated in the Fig. 1. 


Figure 2 describes the overall security management: 
security requirements, threats, countermeasures, and 
management. 


5 SECURITY STANDARD REQUIREMENTS 


Within the text of this standard, “Responsible Entity”
shall mean:


a) Transmission utilities, 
b) Load despatch centres, 


c) Generator operators and generator owners, 
and 


d) Distribution companies (DISCOMs). 


In this standard, the term years, when used to refer to 
periodicity, shall be interpreted as the financial 
reporting year that is followed by the responsible entity. 
When the standard refers to the term every year, it shall 
indicate once a year in every financial year with the 
condition that the duration between two events is not 
more than 12 months. 


The auditing and conformance requirements shall be 
in accordance with 6. 


NOTE — The violation severity levels are not currently 
incorporated in this standard. 


5.1 Critical Cyber Asset Identification 


Identification and documentation of the critical cyber 
assets associated with the critical assets that support 
the reliable operation of the bulk electric system shall 
be specified. At this stage of the standard, the process 
of identification of the critical cyber assets is left to 
the responsible entity. In future, the process for
identification might be codified as part of this standard. 


5.1.1 Critical Asset Identification 


The responsible entity shall develop a list of its 
identified critical assets determined through an annual 
application of the criteria. The responsible entity shall 
update this list as necessary, and review it at least once 
every year. 


5.1.2 Critical Cyber Asset Identification 


From the list of critical assets, the responsible entity 
shall develop a list of associated critical cyber assets 
essential to the operation of the critical asset. The 
responsible entity shall update this list as necessary, 
and review it at least once every year. 


For the purpose of this standard, critical cyber assets 
are further qualified to be those having at least one of 
the following characteristics : 


a) The cyber asset uses a routable protocol to 
communicate outside the electronic security 
perimeter. 

b) The cyber asset uses a routable protocol 
within a control centre. 


c) The cyber asset is dial-up accessible.


5.1.3 Annual Approval


The senior management shall approve annually the list 
of critical assets and the list of critical cyber assets. 
The responsible entity shall keep a signed and dated 
record of the senior management’s approval of the list 
of critical assets and the list of critical cyber assets 
(even if such lists are null). 


5.2 Security Management Controls 


Responsible entities shall have minimum security 
management controls in place to protect critical cyber 
assets. 


5.2.1 Leadership 


The responsible entity shall assign a single senior 
manager with overall responsibility and authority for 
leading and managing the entity’s implementation of, 
and adherence to, this standard : 


a) Senior manager shall be identified by name, 
title, and date of designation. 


b) Changes to the senior manager must be 
documented within thirty calendar days of the 
effective date. 


c) Senior manager may delegate authority for
specific actions to a named delegate or
delegates. These delegations shall be
documented and approved by the senior
manager.


d) The senior management shall authorize and
document any exception from the
requirements of the cyber security policy.


5.2.2 Cyber Security Policy 


The responsible entity shall document and implement 
a cyber-security policy that represents management’s 
commitment and ability to secure its critical cyber 
assets. The responsible entity shall, at minimum, ensure 
the following : 


a) The cyber security policy addresses the 
requirements of this standard, including 
provision for emergency situations. 


b) The cyber security policy is readily available 
to all personnel who have access to, or are 
responsible for, critical cyber assets. 


c) The cyber security policy is reviewed and 
approved by the senior manager assigned 
every year. 


5.2.3 Exceptions 


Instances where the responsible entity cannot conform
to its cyber security policy must be documented as
exceptions and authorized by the senior management
as follows:


a) Exceptions to the responsible entity’s cyber 
security policy must be documented within 
thirty days of being approved by the senior 
management. 


b) Documented exceptions to the cyber security 
policy must include an explanation as to why 
the exception is necessary and any 
compensating measures. 


c) Authorized exceptions to the cyber security 
policy must be reviewed and approved 
annually by the senior management to ensure 
the exceptions are still required and valid. 
Such review and approval shall be 
documented. 


5.2.4 Information Protection 


The responsible entity shall implement and document 
a program to identify, classify, and protect information 
associated with critical cyber assets. 


a) The critical cyber asset information to be 
protected shall include, at a minimum and 
regardless of media type, operational 
procedures, lists as required in 4.1, network 
topology or similar diagrams, floor plans of 
computing centres that contain critical cyber 
assets, equipment layouts of critical cyber 
assets, disaster recovery plans, incident 
response plans, and security configuration 
information. 


b) The responsible entity shall classify 
information to be protected under this 
program based on the sensitivity of the critical 
cyber asset information. 


c) The responsible entity shall, at least once 
every year, assess adherence to its critical 
cyber asset information protection program, 
document the assessment results, and 
implement an action plan to remediate 
deficiencies identified during the assessment. 


5.2.5 Access Control 


The responsible entity shall document and implement 
a program for managing access to protected critical 
cyber asset information : 


a) It shall maintain a list of designated personnel
who are responsible for authorizing logical
or physical access to protected information.


b) Personnel shall be identified by name, title, 
and the information for which they are 
responsible for authorizing access. 


c) The list of personnel responsible for 
authorizing access to protected information 
shall be verified every year. 


d) Every year, the responsible entity shall review 
the access privileges to protected information 
to confirm that access privileges are correct 
and that they correspond with the responsible 
entity’s needs and appropriate personnel roles 
and responsibilities. 


e) It shall assess and document at least annually
the processes for controlling access privileges
to protected information.


5.2.6 Change Control and Configuration Management 


The responsible entity shall establish and document a 
process of change control and configuration 
management for adding, modifying, replacing, or 
removing critical cyber asset hardware or software, and 
implement supporting configuration management 
activities to identify, control and document all entity 
or vendor-related changes to hardware and software 
components of critical cyber assets pursuant to the 
change control process. 


5.3 Personnel and Training 


Personnel having authorized cyber or authorized 
unescorted physical access to critical cyber assets, 
including contractors and service vendors, shall have 
an appropriate level of personnel risk assessment, 
training, and security awareness. 


5.3.1 Awareness 


The responsible entity shall establish, document, 
implement, and maintain a security awareness program
to ensure personnel having authorized cyber or 
authorized unescorted physical access to critical cyber 
assets receive on-going reinforcement in sound security 
practices. The program shall include security awareness 
reinforcement on at least a quarterly basis using 
mechanisms such as: 


a) Direct communications (for example emails, 
memos, computer based training, etc); 


b) Indirect communications (for example 
posters, intranet, brochures, etc); 


c) Management support and reinforcement (for 
example presentations, meetings, etc); and 


d) The awareness program shall also cover adopted
best practices such as a strong password policy,
hardening of critical networks, etc.


5.3.2 Training 


The responsible entity shall establish, document,
implement, and maintain a cyber security training
program every year for personnel having authorized
cyber or authorized unescorted physical access to
critical cyber assets. The cyber security training
program shall be reviewed every year, at a minimum,
and shall be updated whenever necessary.


a) This program shall ensure that all personnel 
having such access to critical cyber assets, 
including contractors and service vendors, are 
trained prior to their being granted such access 
except in specified circumstances such as an 
emergency. 


b) Training shall cover the policies, access 
controls, and procedures as developed for the 
critical cyber assets, and include, at a 
minimum, the following required items 
appropriate to personnel roles and 
responsibilities: 

1) Proper use of critical cyber assets, 


2) Physical and electronic access controls 
to critical cyber assets, 


3) Proper handling of critical cyber asset 
information, and 


4) Action plans and procedures to recover 
or re-establish critical cyber assets and 
access thereto following a cyber security 
incident. 


c) The responsible entity shall maintain 
documentation that training is conducted 
every year, including the date the training was 
completed and attendance records. 


IS 16335 : 2015


5.3.3 Personnel Risk Assessment


The responsible entity shall have a documented
personnel risk assessment program, in accordance with
central, state, municipal, local, and other applicable
laws, for personnel having authorized cyber or
authorized unescorted physical access to critical cyber
assets. A personnel risk assessment shall be conducted
pursuant to that program prior to such personnel being
granted such access except in specified circumstances
such as an emergency.


The personnel risk assessment program shall at a 
minimum include, 


a) ensuring that each assessment conducted
includes, at least, identity verification and
security verification. More detailed reviews,
as permitted by law, may be conducted
depending upon the criticality of the position.


b) updating each personnel risk assessment at 
least every five years after the initial personnel 
risk assessment or for cause. 


c) documenting the results of personnel risk 
assessments of its personnel having 
authorized cyber or authorized unescorted 
physical access to critical cyber assets, and 
that personnel risk assessments of contractor 
and service vendor personnel with such access 
are conducted pursuant to this standard. 


5.3.4 Access 


The responsible entity shall maintain list(s) of 
personnel with authorized cyber or authorized 
unescorted physical access to critical cyber assets, 
including their specific electronic and physical access 
rights to critical cyber assets as follows: 


a) The responsible entity shall review the list(s) 
of its personnel who have such access to 
critical cyber assets quarterly, and update the 
list(s) within seven calendar days of any 
change of personnel with such access to 
critical cyber assets, or any change in the 
access rights of such personnel. The 
responsible entity shall ensure access list(s) 
for contractors and service vendors are 
properly maintained. 


b) The responsible entity shall revoke such 
access to critical cyber assets within 24 h for 
personnel terminated for cause and within 
seven calendar days for personnel who no 
longer require such access to critical cyber 
assets. 


5.4 Electronic Security Perimeter 


Identification and protection of the electronic security
perimeter(s) inside which all critical cyber assets reside,
as well as all access points on the perimeter shall be
specified. The responsible entity should continue to follow
existing and future standards for data and
communications security such as IEC 62351 (Part 1 to
Part 8).


5.4.1 Electronic Security Perimeter 


The responsible entity shall ensure that every critical 
cyber asset resides within an electronic security 
perimeter. The responsible entity shall identify and 
document the electronic security perimeter(s) and all 
access points to the perimeter(s). 


a) Access points to the electronic security
perimeter(s) shall include any externally
connected communication end point (for
example, dial-up modems) terminating at any
device within the electronic security
perimeter(s). Details of the externally connected
devices and their usage shall be
documented.


b) For a dial-up accessible critical cyber asset 
that uses a non-routable protocol, the 
Responsible Entity shall define an electronic 
security perimeter for that single access point 
at the dial-up device. 


c) Communication links connecting discrete 
electronic security perimeters shall not be 
considered part of the electronic security 
perimeter. However, end points of these 
communication links within the electronic 
security perimeter(s) shall be considered 
access points to the electronic security 
perimeter(s). 

d) Any non-critical cyber asset within a defined 
electronic security perimeter shall be 
identified and protected pursuant to the 
requirements of this standard. 


e) Cyber assets used in the access control and/
or monitoring of the electronic security
perimeter(s) shall be afforded the protective
measures specified in this standard.


f) Maintain documentation of electronic security 
perimeter(s), all interconnected critical and 
non-critical cyber assets within the electronic 
security perimeter(s), all electronic access 
points to the electronic security perimeter(s) 
and the cyber assets deployed for the access 
control and monitoring of these access points. 


g) Ensure that all documentation required by this
standard reflects current configurations and
processes, and review the documents and
procedures referenced in this standard at least
once a year.

h) Update the documentation to reflect the 
modification of the network or controls within 
one month of the change. 


5.4.2 Electronic Access Controls 


The responsible entity shall implement and document 
the organizational processes and technical and 
procedural mechanisms for control of electronic access 
at all electronic access points to the electronic security 
perimeter(s). 


a) These processes and mechanisms shall use an 
access control model that denies access by 
default, such that explicit access permissions 
must be specified. 


b) At all access points to the electronic security 
perimeter(s), the responsible entity shall 
enable only ports and services required for 
operations and for monitoring cyber assets 
within the electronic security perimeter, and 
shall document, individually or by specified 
grouping, the configuration of those ports and 
services. 


c) Implement and maintain a procedure for 
securing dial-up access to the electronic 
security perimeter(s). 


d) Where external interactive access into the 
electronic security perimeter has been 
enabled, the responsible entity shall 
implement strong procedural or technical 
controls at the access points to ensure 
authenticity of the accessing party, where 
technically feasible. 


e) The required documentation shall, at least, 
identify and describe, 
1) the processes for access request and 
authorization. 


2) the authentication methods. 

3) the review process for authorization 
rights. 

4) the controls used to secure dial-up 
accessible connections. 


f) Where technically feasible, and in order to 
make personnel accessing the system aware 
of the criticality of the cyber asset, electronic 
access control devices shall display an 
appropriate use banner on the user screen 
upon all interactive access attempts. The 
responsible entity shall maintain a document 
identifying the content of the banner. 


5.4.3 Monitoring Electronic Access 


The responsible entity shall implement and document 
an electronic or manual process for monitoring and 
logging access at access points to the electronic security 
perimeter(s) twenty-four hours a day, seven days a 
week as follows: 


a) For dial-up accessible critical cyber assets that
use non-routable protocols, the responsible
entity shall implement and document a
monitoring process at each access point to the
dial-up device, where technically feasible.


b) Where technically feasible, the security 
monitoring process shall detect and alert for 
attempts at or actual unauthorized accesses. 
These alerts shall provide for appropriate 
notification to designated response personnel. 
Where alerting is not technically feasible, the 
responsible entity shall review or otherwise 
assess access logs for attempts at or actual 
unauthorized accesses at least every month. 


c) Retain electronic access logs for at least one 
year. Logs related to reportable incidents shall 
be kept in accordance with the requirements 
of 4.7. 
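As an added example (not part of IS 16335), the following Python script shows one way to implement the 5.4.3 b) detect-and-alert process and the 5.4.3 c) one-year retention check over access-point logs; the log format, device names, authorised-user list and contact address are constructed assumptions, not any real product's output.

```python
# Added example for IS 16335 clause 5.4.3 (monitoring electronic access).
# All device names, log lines, authorised users and contacts are assumptions.
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample lines from an assumed perimeter firewall (ESP1-FW01) and an
# assumed dial-up access point (ESP1-DIAL01); not output of any real product.
SAMPLE_LOG = """\
2015-04-01T02:14:05Z ap=ESP1-FW01 event=AUTH_FAIL user=operator src=10.20.30.5 svc=ssh
2015-04-01T02:14:09Z ap=ESP1-FW01 event=AUTH_FAIL user=operator src=10.20.30.5 svc=ssh
2015-04-01T02:14:12Z ap=ESP1-FW01 event=AUTH_FAIL user=operator src=10.20.30.5 svc=ssh
2015-04-01T02:14:20Z ap=ESP1-FW01 event=AUTH_OK user=operator src=10.20.30.5 svc=ssh
2015-04-01T03:00:00Z ap=ESP1-FW01 event=CONN_DENIED src=198.51.100.7 dst=10.20.30.40 dport=502
2015-04-01T03:00:01Z ap=ESP1-FW01 event=CONN_DENIED src=198.51.100.7 dst=10.20.30.40 dport=20000
2015-04-01T04:30:00Z ap=ESP1-DIAL01 event=AUTH_OK user=vendor2 src=dialup
2015-04-01T09:15:00Z ap=ESP1-FW01 event=CONN_DENIED src=10.20.31.9 dst=10.20.30.41 dport=23
"""

# Authorised cyber access per access point, as the 5.3.4 list(s) would record it
# (constructed). A successful login by anyone else is an actual unauthorised access.
AUTHORISED = {"ESP1-FW01": {"operator", "admin"}, "ESP1-DIAL01": {"vendor1"}}

RESPONSE_CONTACT = "soc-oncall@example.invalid"   # designated response personnel (assumed)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

@dataclass
class Event:
    ts: datetime
    fields: dict

@dataclass
class Alert:
    severity: str        # "high" = actual unauthorised access, "medium" = attempt
    access_point: str
    reason: str
    notify: str = RESPONSE_CONTACT

def parse_log(text: str) -> list[Event]:
    """Parse 'timestamp key=value ...' lines; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or "=" not in m.group("kv"):
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
        events.append(Event(ts, fields))
    return events

def detect(events: list[Event], fail_threshold: int = 3,
           window: timedelta = timedelta(minutes=5)) -> list[Alert]:
    """Detect attempts at, and actual, unauthorised access (5.4.3 b)."""
    alerts: list[Alert] = []
    fails = defaultdict(list)   # (ap, user, src) -> recent AUTH_FAIL timestamps
    denied = defaultdict(set)   # (ap, src) -> destination ports that were denied
    for ev in sorted(events, key=lambda e: e.ts):
        f = ev.fields
        ap, kind, user, src = f.get("ap", "?"), f.get("event"), f.get("user"), f.get("src")
        if kind == "AUTH_FAIL":
            key = (ap, user, src)
            fails[key] = [t for t in fails[key] if ev.ts - t <= window] + [ev.ts]
            if len(fails[key]) == fail_threshold:   # alert once, when the threshold is crossed
                alerts.append(Alert("medium", ap,
                    f"{fail_threshold} failed logins for {user} from {src} within {window}"))
        elif kind == "AUTH_OK":
            if user not in AUTHORISED.get(ap, set()):
                alerts.append(Alert("high", ap,
                    f"login by {user} from {src}, who is not on the authorised access list"))
            elif len(fails.get((ap, user, src), [])) >= fail_threshold:
                alerts.append(Alert("high", ap,
                    f"login by {user} from {src} succeeded after repeated failures"))
        elif kind == "CONN_DENIED":
            denied[(ap, src)].add(f.get("dport", "?"))
    for (ap, src), ports in denied.items():   # one alert per source, not per packet
        alerts.append(Alert("medium", ap,
            f"{len(ports)} denied connection attempt(s) from {src} to port(s) {sorted(ports)}"))
    return alerts

def retention_shortfall_days(earliest_retained: str, today: str) -> int:
    """5.4.3 c): logs must cover at least one year; returns days short of that (0 = compliant)."""
    fmt = "%Y-%m-%d"
    covered = (datetime.strptime(today, fmt) - datetime.strptime(earliest_retained, fmt)).days
    return max(0, 365 - covered)

if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"[{a.severity}] {a.access_point}: {a.reason} -> notify {a.notify}")
    print("retention shortfall (days):", retention_shortfall_days("2015-01-01", "2015-04-01"))
```

Where alerting is not technically feasible (5.4.3 b), the same `detect` pass can be run over the month's accumulated logs as the required monthly review.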


5.4.4 Cyber Vulnerability Assessment 


The responsible entity shall perform a cyber
vulnerability assessment of the electronic access points
to the Electronic Security Perimeter(s) at least once a
year. The vulnerability assessment shall include, at a
minimum, the following :


a) A document identifying the vulnerability 
assessment process. 


b) A review to verify that only ports and services 
required for operations at these access points 
are enabled. 


c) Discovery of all access points to the electronic 
security perimeter. 


d) Review of controls for default accounts, 
passwords, and network management 
community strings. 


e) Documentation of the results of the 
assessment, the action plan to remediate or 
mitigate vulnerabilities identified in the 
assessment, and the execution status of that 
action plan. 
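As an added example (not part of IS 16335), this Python review applies 5.4.2 a) and b) together with 5.4.4 b) and d) to a constructed access-point configuration, showing the weak configuration beside its remediated form; the configuration rendering, device and account names, default-value lists and the documented-service list are assumptions, and a real review would export these from the access-point device and from the 5.4.2 b) record.

```python
# Added example for IS 16335 clauses 5.4.2 a)-b) and 5.4.4 b), d).
# Configuration format, names and default-value lists are assumptions.
from __future__ import annotations

from dataclasses import dataclass

# Well-known vendor defaults the review looks for (assumed lists; extend per vendor).
DEFAULT_ACCOUNTS = {"admin", "root", "administrator"}
DEFAULT_COMMUNITIES = {"public", "private"}

# Ports/services documented as required for operations and monitoring (5.4.2 b); constructed.
DOCUMENTED_SERVICES = {("tcp", 443): "https-mgmt", ("udp", 161): "snmp-monitoring"}

# Constructed, vendor-neutral rendering of the weak configuration of access point ESP1-FW01.
WEAK_CONFIG = {
    "name": "ESP1-FW01",
    "default_policy": "permit",      # anything not matched by a rule gets through
    "rules": [
        {"action": "permit", "src": "10.20.40.0/24", "proto": "tcp", "dport": 443, "service": "https-mgmt"},
        {"action": "permit", "src": "any", "proto": "tcp", "dport": 23, "service": "telnet"},
    ],
    "accounts": [{"user": "admin", "password_changed": False},
                 {"user": "opsadmin", "password_changed": True}],
    "snmp_communities": ["public"],
}

# The same access point after remediation (constructed).
HARDENED_CONFIG = {
    "name": "ESP1-FW01",
    "default_policy": "deny",
    "rules": [
        {"action": "permit", "src": "10.20.40.0/24", "proto": "tcp", "dport": 443, "service": "https-mgmt"},
        {"action": "permit", "src": "10.20.40.10/32", "proto": "udp", "dport": 161, "service": "snmp-monitoring"},
        {"action": "deny", "src": "any", "proto": "any", "dport": "any"},
    ],
    "accounts": [{"user": "admin", "password_changed": True},
                 {"user": "opsadmin", "password_changed": True}],
    "snmp_communities": ["esp1-ro-7f3a9c"],
}

@dataclass
class Finding:
    clause: str      # clause of IS 16335 the finding relates to
    severity: str
    detail: str

def denies_by_default(cfg: dict) -> bool:
    """5.4.2 a): the device default is deny, or a terminal deny-all rule closes the rule set."""
    if cfg.get("default_policy") == "deny":
        return True
    rules = cfg.get("rules", [])
    last = rules[-1] if rules else None
    return bool(last and last["action"] == "deny" and last["src"] == "any"
                and last["proto"] == "any" and last["dport"] == "any")

def assess_access_point(cfg: dict, documented: dict) -> list[Finding]:
    """Produce the findings the responsible entity documents under 5.4.4 e)."""
    name = cfg["name"]
    findings: list[Finding] = []
    if not denies_by_default(cfg):
        findings.append(Finding("5.4.2 a", "high",
            f"{name}: access is not denied by default (policy '{cfg.get('default_policy')}', no terminal deny-all rule)"))
    enabled = set()
    for r in cfg.get("rules", []):
        if r["action"] != "permit":
            continue
        key = (r["proto"], r["dport"])
        enabled.add(key)
        if key not in documented:        # 5.4.2 b) / 5.4.4 b): port or service not documented as required
            findings.append(Finding("5.4.2 b / 5.4.4 b", "high",
                f"{name}: {r['proto']}/{r['dport']} ({r.get('service', '?')}) permitted from {r['src']} but not documented as required"))
    for key, svc in documented.items():  # documented but not enabled: the 5.4.2 b) record is stale
        if key not in enabled:
            findings.append(Finding("5.4.1 g", "low",
                f"{name}: documented service {svc} ({key[0]}/{key[1]}) has no permit rule"))
    for acct in cfg.get("accounts", []):
        if acct["user"].lower() in DEFAULT_ACCOUNTS and not acct.get("password_changed", False):
            findings.append(Finding("5.4.4 d", "high",
                f"{name}: default account '{acct['user']}' still has its default password"))
    for community in cfg.get("snmp_communities", []):
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(Finding("5.4.4 d", "high",
                f"{name}: SNMP community string '{community}' is a well-known default"))
    return findings

if __name__ == "__main__":
    for cfg in (WEAK_CONFIG, HARDENED_CONFIG):
        fs = assess_access_point(cfg, DOCUMENTED_SERVICES)
        print(f"{cfg['name']} (default policy {cfg['default_policy']}): {len(fs)} finding(s)")
        for f in fs:
            print(f"  [{f.severity}] {f.clause}: {f.detail}")
```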


5.5 Physical Security of Critical Cyber Assets 


Implementation of a physical security program for the 
protection of critical cyber assets is required. 


5.5.1 Physical Security Plan 


The responsible entity shall document, implement, and 
maintain a physical security plan, approved by the 
senior management that shall address, at a minimum, 
the following: 


a) All cyber assets within an electronic security 
perimeter shall reside within an identified 
physical security perimeter. Where a 
completely enclosed (six-wall) border cannot 
be established, the responsible entity shall 
deploy and document alternative measures to
control physical access to such cyber assets. 


b) Identification of all physical access points 
through each physical security perimeter and 
measures to control entry at those access 
points. 


c) Processes, tools, and procedures to monitor 
physical access to the perimeter(s). 


d) Appropriate use of physical access controls 
including visitor pass management, response 
to loss, and prohibition of inappropriate use 
of physical access controls. 


e) Review of access authorization requests and 
revocation of access authorization. 


f) A visitor control program for visitors 
(personnel without authorized unescorted 
access to a Physical Security Perimeter), 
containing at a minimum the following: 


1) Logs (manual or automated) to document 
the entry and exit of visitors, including 
the date and time, to and from physical 
security perimeters. 


2) Continuous escorted access of visitors 
within the physical security perimeter. 


g) Update of the physical security plan within 
one month of the completion of any physical 
security system redesign or reconfiguration, 
including, but not limited to, addition or 
removal of access points through the Physical 
Security Perimeter, physical access controls, 
monitoring controls, or logging controls. 


h) Annual review of the physical security plan.


5.5.2 Protection of Physical Access Control Systems


Cyber Assets that authorize and/or log access to the 
physical security perimeter(s), exclusive of hardware 
at the physical security perimeter access point such as 
electronic lock control mechanisms and badge readers, 
shall be: 


a) Protected from unauthorized physical access. 


b) Afforded the protective measures specified in 
this standard. 


5.5.3 Protection of Electronic Access Control Systems 


Cyber assets used in the access control and/or 
monitoring of the electronic security perimeter(s) shall 
reside within an identified physical security perimeter. 


5.5.4 Physical Access Controls 


The Responsible Entity shall document and implement 
the operational and procedural controls to manage 
physical access at all access points to the physical 
security perimeter(s) twenty-four hours a day, seven 
days a week. The responsible entity shall implement
one or more of the following physical access methods:


a) Card key — A means of electronic access where
the access rights of the card holder are 
predefined in a computer database. Access 
rights may differ from one perimeter to another. 


b) Special locks — These include, but are not 
limited to, locks with restricted key systems, 
magnetic locks that can be operated remotely, 
and man-trap systems. 


c) Security personnel — Personnel responsible 
for controlling physical access who may 
reside on-site or at a monitoring station. 


d) Other authentication devices — Biometric, 
keypad, token, or other equivalent devices that 
control physical access to the critical cyber 
assets. 


5.5.5 Monitoring Physical Access 


The responsible entity shall document and implement 
the technical and procedural controls for monitoring 
physical access at all access points to the physical 
security perimeter(s) twenty-four hours a day, seven 
days a week. Unauthorized access attempts shall be 
reviewed immediately and handled in accordance with 
the procedures specified in 4.7. One or more of the 
following monitoring methods shall be used: 


a) Alarm systems — A system that alarms to
indicate a door, gate or window has been
opened without authorization. These alarms
must provide for immediate notification to
personnel responsible for response.


b) Human observation of access points — The 
monitoring of physical access points by 
authorized personnel. 


5.5.6 Logging Physical Access 


Logging shall record sufficient information to uniquely 
identify individuals and the time of access twenty-four 
hours a day, seven days a week. The responsible entity 
shall retain physical access logs for at least one year. 
Logs related to reportable incidents shall be kept in 
accordance with the requirements given in 4.7. 


The responsible entity shall implement and document 
the technical and procedural mechanisms for logging 
physical entry at all access points to the physical 
security perimeter(s) using one or more of the 
following logging methods or their equivalent: 


a) Computerized logging — Electronic logs 
produced by the Responsible Entity’s selected 
access control and monitoring method. 

b) Video recording — Electronic capture of video 
images of sufficient quality to determine 
identity. 


c) Manual logging — A log book or sign-in 
sheet, or other record of physical access 
maintained by security or other personnel 
authorized to control and monitor physical 
access. 


5.5.7 Maintenance and Testing 


The responsible entity shall implement an appropriate 
maintenance and testing program to ensure that all 
physical security systems function properly. The 
program must include, at a minimum, the 
following: 


a) Testing and maintenance of all physical 
security mechanisms on a cycle no longer than 
three years. 


b) Retention of testing and maintenance records 
for the cycle determined by the responsible 
entity. 

c) Retention of outage records regarding access 
controls, logging, and monitoring for a 
minimum of one calendar year. 


5.6 Systems Security Management 


Responsible entities shall define methods, processes, 
and procedures for securing those systems determined 
to be critical cyber assets, as well as the other (non- 
critical) cyber assets within the electronic security 
perimeter(s). 


The responsible entity shall review and update the 
documentation at least once a year. Changes resulting 
from modifications to the systems or controls shall be 
documented within one month of the change being 
completed. 


5.6.1 Test Procedures 


The responsible entity shall ensure that new cyber 
assets and significant changes to existing cyber assets 
within the electronic security perimeter do not 
adversely affect existing cyber security controls. For 
the purpose of this standard, a significant change shall, 
at a minimum, include implementation of security 
patches, cumulative service packs, vendor releases, and 
version upgrades of operating systems, applications, 
database platforms, or other third-party software or 
firmware and: 


a) Create, implement, and maintain cyber 
security test procedures in a manner that 
minimizes adverse effects on the production 
system or its operation. 


b) Document that testing is performed in a 
manner that reflects the production 
environment. 


c) Document test results. 
5.6.2 Ports and Services 


The responsible entity shall establish, document and 
implement a process to ensure that only those ports 
and services required for normal and emergency 
operations are enabled as follows: 


a) Enable only those ports and services required 
for normal and emergency operations. 


b) Disable other ports and services, including 
those used for testing purposes, prior to 
production use of all cyber assets inside the 
electronic security perimeter(s). 


c) In the case where unused ports and services 
cannot be disabled due to technical 
limitations, the responsible entity shall 
document compensating measure(s) applied 
to mitigate risk exposure. 


5.6.3 Security Patch Management 


The responsible entity shall establish, document, and 
implement a security patch management program for 
tracking, evaluating, testing, and installing applicable 
cyber security software patches for all cyber assets 
within the electronic security perimeter(s) as follows: 


a) Document the assessment of security patches 
and security upgrades for applicability within 
thirty calendar days of availability of the 
patches or upgrades. 


b) Document the implementation of security 
patches. In any case where the patch is not 
installed, the Responsible Entity shall 
document compensating measure(s) applied 
to mitigate risk exposure. 


5.6.4 Malicious Software Prevention 


The responsible entity shall use anti-virus software and 
other malicious software (“malware”) prevention tools, 
where technically feasible, to detect, prevent, deter, and 
mitigate the introduction, exposure, and propagation 
of malware on all cyber assets within the electronic 
security perimeter(s). 


a) Document and implement anti-virus and 
malware prevention tools. In the case where 
anti-virus software and malware prevention 
tools are not installed, the responsible entity 
shall document compensating measure(s) 
applied to mitigate risk exposure. 


b) Document and implement a process for the 
update of anti-virus and malware prevention 
signatures. The process must address testing 
and installing the signatures. 


5.6.5 Account Management 


The responsible entity shall establish, implement, and 
document technical and procedural controls that 
enforce access authentication of, and accountability 
for, all user activity, and that minimize the risk of 
unauthorized system access. 


a) Ensure that individual and shared system 
accounts and authorized access permissions 
are consistent with the concept of need to 
know with respect to work functions 
performed: 

1) Ensure that user accounts are implemented 
as approved by designated personnel. 

2) Establish methods, processes, and 
procedures that generate logs of sufficient 
detail to create historical audit trails of 
individual user account access activity for 
a minimum of three months. 

3) Review, at least once a year, user accounts 
to verify access privileges are in accordance 
with this standard. 

b) Implement the following policies to minimize 
and manage the scope and acceptable use of 
administrator, shared, and other generic 
account privileges including factory default 
accounts: 

1) The policy shall include the removal, 
disabling, or renaming of such accounts 
where possible. For such accounts that 
must remain enabled, passwords shall be 
changed prior to putting any system into 
service. 

2) The responsible entity shall identify those 
individuals with access to shared accounts. 

3) Where such accounts must be shared, the 
responsible entity shall have a policy for 
managing the use of such accounts that 
limits access to only those with 
authorization, an audit trail of the account 
use (automated or manual), and steps for 
securing the account in the event of 
personnel changes (for example, change 
in assignment or termination). 

c) At a minimum, require and use passwords and 
implement, as technically feasible, policies for 
making the password hard to crack (such as 
periodic password changes, requiring a 
combination of alphanumeric and special 
characters). 


5.6.6 Security Status Monitoring 


The responsible entity shall ensure that all cyber assets 
within the electronic security perimeter, as technically 
feasible, implement automated tools or organizational 
process controls to monitor system events that are 
related to cyber security as follows : 
a) Implement and document the organizational 
processes and technical and procedural 
mechanisms for monitoring for security 
events on all cyber assets within the electronic 
security perimeter. 

b) The security monitoring controls shall issue 
automated or manual alerts for detected Cyber 
Security Incidents. 

c) Maintain logs of system events related to 
cyber security, where technically feasible, to 
support incident response as required in 4.7. 
d) Retain all logs for a minimum of one year. 
Review logs of system events related to cyber 
security and maintain records documenting 
review of logs. 


5.6.7 Disposal or Redeployment 


The responsible entity shall establish and implement 
formal methods, processes, and procedures for disposal 
or redeployment of identified cyber assets within the 
electronic security perimeter(s) and: 


a) Prior to the disposal or redeployment of such 
assets: 

1) Destroy or erase the data storage media 
to prevent unauthorized retrieval of 
sensitive cyber security or reliability 
data. 

2) At a minimum, erase the data storage 
media to prevent unauthorized retrieval 
of sensitive cyber security or reliability 
data. 

b) Maintain records that such assets were 
disposed of or redeployed in accordance with 
documented procedures. 


5.6.8 Cyber Vulnerability Assessment 


The responsible entity shall perform a cyber 
vulnerability assessment of all cyber assets within the 
electronic security perimeter at least every year. The 
vulnerability assessment shall include, at a minimum, 
the following: 


a) A document identifying the vulnerability 
assessment process, 

b) Review to verify that only ports and services 
required for operation of the cyber assets 
within the electronic security perimeter are 
enabled, 

c) Review of controls for default accounts, and 

d) Documentation of the results of the 
assessment, the action plan to remediate or 
mitigate vulnerabilities identified in the 
assessment, and the execution status of that 
action plan. 
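As an added example, not part of this standard, the following Python helper shows how the reviews required by 5.6.2, 5.6.5 b) and 5.6.8 can be carried out together against an asset inventory: enabled ports and services are compared with the documented baseline for normal and emergency operations, undocumented extras become open findings while those with a recorded compensating measure are retained as exceptions, enabled factory default accounts are checked for a changed password and identified users, and the output is the findings and action plan that 5.6.8 d) asks to be documented. The data model, the asset RTU-01 and every value in the sample inventory are constructed for illustration only.

```python
from dataclasses import dataclass, field

# Constructed data model (hypothetical; the standard prescribes no particular format).
@dataclass
class Service:
    port: int
    proto: str
    name: str

@dataclass
class DefaultAccount:
    name: str
    enabled: bool
    password_changed: bool  # changed before the system was put into service
    known_users: list = field(default_factory=list)  # individuals with access, 5.6.5 b) 2)

@dataclass
class Asset:
    asset_id: str
    enabled: list     # services found enabled on the asset
    baseline: set     # (port, proto) required for normal and emergency operations
    exceptions: dict  # (port, proto) -> documented compensating measure, 5.6.2 c)
    default_accounts: list

def finding(asset, check, item, status, action):
    return {"asset": asset.asset_id, "check": check, "item": item,
            "status": status, "action": action}

def review_ports_and_services(asset):
    """5.6.2 / 5.6.8 b): anything enabled beyond the baseline is a finding."""
    out = []
    for svc in asset.enabled:
        key = (svc.port, svc.proto)
        if key in asset.baseline:
            continue
        item = f"{svc.proto}/{svc.port} ({svc.name})"
        measure = asset.exceptions.get(key)
        if measure:  # cannot be disabled, but a compensating measure is documented
            out.append(finding(asset, "ports_services", item, "exception",
                               f"retain; compensating measure: {measure}"))
        else:
            out.append(finding(asset, "ports_services", item, "open",
                               "disable before production use or document a compensating measure"))
    return out

def review_default_accounts(asset):
    """5.6.5 b) / 5.6.8 c): enabled default accounts need a changed password and named users."""
    out = []
    for acct in asset.default_accounts:
        if not acct.enabled:
            continue  # removed or disabled: nothing to report
        if not acct.password_changed:
            out.append(finding(asset, "default_accounts", acct.name, "open",
                               "change the factory default password before service"))
        if not acct.known_users:
            out.append(finding(asset, "default_accounts", acct.name, "open",
                               "identify the individuals with access to this shared account"))
    return out

def assessment_report(assets):
    """5.6.8 d): assessment results plus the action plan; open items drive the plan."""
    findings = []
    for asset in assets:
        findings += review_ports_and_services(asset) + review_default_accounts(asset)
    return {"findings": findings,
            "open_items": sum(f["status"] == "open" for f in findings),
            "exceptions": sum(f["status"] == "exception" for f in findings)}

# Constructed sample inventory for one asset; all values are illustrative only.
SAMPLE_ASSET = Asset(
    asset_id="RTU-01",
    enabled=[Service(20000, "tcp", "dnp3"), Service(22, "tcp", "ssh"),
             Service(80, "tcp", "http-config"), Service(23, "tcp", "telnet")],
    baseline={(20000, "tcp"), (22, "tcp")},
    exceptions={(80, "tcp"): "vendor cannot disable; reachable only from the engineering VLAN"},
    default_accounts=[DefaultAccount("admin", True, True, ["operator-a", "operator-b"]),
                      DefaultAccount("service", True, False)],
)
REPORT = assessment_report([SAMPLE_ASSET])  # findings and action plan for the sample asset
```

For the sample asset the report carries one exception (the web configuration port with its compensating measure) and three open items: telnet to be disabled, and the enabled "service" default account with its factory password and no identified users.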


5.7 Incident Reporting and Response Planning 


It is required to ensure the identification, classification, 
response, and reporting of cyber security incidents 
related to critical cyber assets. 


5.7.1 Cyber Security Incident Response Team 


A security incident is an event which results (or may 
result) in misuse, damage, denial of service, 
compromise of integrity, or loss of confidentiality of a 
network, computer, application, or data; and threats, 
misrepresentations of identity, or harassment of or by 
individuals using these resources. 


The responsible entity shall create a security incident 
response team. The members of this team can either 
be full-time or can have this responsibility as an 
additional responsibility along with their current role. 
At least one member of the incident response team shall 
be reachable at all times. 


All security incidents reported to the team should be 
recorded. 


5.7.2 Cyber Security Incident Response Plan 


The responsible entity shall develop and maintain a 
cyber security incident response plan and implement 
the plan in response to cyber security incidents. The 
cyber security Incident response plan shall address, at 
a minimum, the following : 


a) Procedures to characterize and classify events 
as reportable cyber security incidents. 

b) Response actions, including roles and 
responsibilities of cyber security incident 
response teams, cyber security incident 
handling procedures, and communication 
plans. 

c) The Responsible Entity must ensure that all 
reportable cyber security incidents are 
reported to the appropriate local and central 
authorities. 

d) Process for updating the cyber security 
incident response plan within one month of 
any changes. 

e) Process for ensuring that the cyber security 
incident response plan is reviewed at least 
once a year. 

f) Process for ensuring the cyber security 
incident response plan is tested at least once 
a year. A test of the cyber security incident 
response plan can range from a paper drill, to 
a full operational exercise, to the response to 
an actual incident. 


5.7.3 Cyber Security Incident Documentation 


The Responsible Entity shall keep relevant 
documentation related to all reportable cyber security 
incidents for a minimum period of five years. Incidents 
are to be reviewed at least once in three months. 


5.8 Recovery Plans for Critical Cyber Assets 


It is required to ensure that recovery plan(s) are put in 
place for critical cyber assets and that these plans follow 
established business continuity and disaster recovery 
techniques and practices. 


5.8.1 Recovery Plans 


The responsible entity shall create and conduct a review 
of recovery plan(s) for critical cyber assets at least once 
a year. The recovery plan(s) shall address at a minimum 
the following: 


a) Specify the required actions in response to events 
or conditions of varying duration and severity 
that would activate the recovery plan(s). 

b) Define the roles and responsibilities of 
responders. 


5.8.2 Exercises 


The recovery plan(s) shall be exercised at least once a 
year. An exercise of the recovery plan(s) can range from 
a paper drill, to a full operational exercise, to recovery 
from an actual incident. 


5.8.3 Change Control 


Recovery plan(s) shall be updated to reflect any 
changes or lessons learned as a result of an exercise or 
the recovery from an actual incident. Updates shall be 
communicated to personnel responsible for the 
activation and implementation of the recovery plan(s) 
within one month of the change being completed. 


5.8.4 Backup and Restore 


The recovery plan(s) shall include processes and 
procedures for the backup and storage of information 
required to successfully restore critical cyber assets. 
For example, backups may include spare electronic 
components or equipment, written documentation of 
configuration settings, tape backup, etc. Information 
essential to recovery that is stored on backup media 
shall be tested at least once a year to ensure that the 
information is available. Testing can be completed off 
site. 


6 COMPLIANCE 


6.1 Compliance Enforcement Authority 


The designated authority as determined by the appropriate 
body will act as the compliance enforcement authority. 


6.2 Auditing Requirements 


The responsible entity can perform audits as mandated 
by this standard and keep the necessary records as 
per 5.3. In addition, compliance enforcement authority 
should certify select agencies for compliance auditing. 
The responsible entity can utilize the services of these 
certified agencies for performing internal audits. 


The enforcement authority should audit the documents 
and records on at least a bi-annual basis to ensure that 
the responsible entities are in compliance with this 
standard. This audit should include on-site random 
checks to ensure compliance. 


6.3 Records and Documents 


The responsible entity shall keep all documentation 
required as part of this standard for a minimum period 
of 3 years. Documentation and data shall be retained 
for a longer time, if required as part of any 
investigation. 


The list of records and documents that responsible 
entity shall maintain as per the various requirements 
in 5 are as given below. In case there is a difference of 
interpretation between this section and the 
corresponding section 5, requirements given in 5 shall 
prevail: 


1) List of critical assets along with the 
criteria for identification (see 5.1.1). 


2) List of critical cyber assets (see 5.1.2). 
3) Approval record (see 5.1.3). 


4) Assignment of senior manager and changes 
thereof, if any (see 5.2.1). 


5) Approved cyber security policy (see 5.2.2). 
6) Approved exception list (see 5.2.3). 
7) Documented information protection program 
(see 5.2.4). 

8) Documented access control program (see 
5.2.5). 

9) Change control and configuration 
management documentation (see 5.2.6). 


10) Documentation of security awareness and 
reinforcement program (see 5.3.1). 


11) Cyber security training program, review 
records, and training records (see 5.3.2). 

12) Personnel risk assessment program and 
records (see 5.3.3). 

13) List of personnel with access rights and 
associated review and revocation records, if 
any (see 5.3.4). 


14) Electronic security perimeter, list of all cyber 
assets within the perimeter, and the cyber 
assets deployed for access control (see 5.4.1). 


15) Documentation of the electronic access 
controls to the electronic security perimeter(s) 
(see 5.4.2). 
16) Documented monitoring and logging at access 
points to the electronic security perimeter(s) 
(see 5.4.2). 

17) Vulnerability assessment documentation and 
associated mitigation, if any (see 5.4.4). 

18) Documented physical security perimeter, 
approved physical security plan and associated 
implementation records (see 5.3.5.1). 


19) Documented protection of physical 
perimeter(s) (see 5.5.2). 

20) Documentation certifying that electronic 
access controls for protection of electronic 
security perimeter are within physical security 
perimeter (see 5.5.3). 

21) Methods for controlling physical access to 
each access point of a physical security 
perimeter (see 5.5.4). 


22) Methods for monitoring physical access (see 
5.5.5). 

23) Methods for logging physical access and 
access logs for access to physical security 
perimeter(s) (see 5.5.6). 

24) Implementation of physical security system 
maintenance and testing program (5.5.7). 


25) Documentation of security test procedures 
(see 5.6.1). 

26) Documentation to confirm only essential ports 
and services are open, and documented 
exceptions and mitigation (see 5.6.2). 

27) Documentation and records of security patch 
management program (see 5.6.3). 


28) Documentation and records of malicious 
software prevention program (see 5.6.4). 

29) Documentation and records of account 
management program (see 5.6.5). 

30) Documentation and records of security status 
monitoring program (see 5.6.6). 


31) Documentation and records of program for 
the disposal or redeployment of Cyber Assets 
(see 5.6.7). 

32) Documentation and records of yearly 
vulnerability assessment of all Cyber Assets 
within the Electronic Security Perimeters(s) 
(see 5.6.8). 

33) Composition of the Security Incident 
Response Team and list of incidents reported 
to the Team (see 5.7.1). 


34) Approved Cyber Security Incident Response 
plan, its review and all follow-up of incidents 
as required by law (see 5.7.2). 

35) Documentation of all reportable cyber 
security incidents (see 5.7.3). 

36) Approved recovery plan (see 5.8.1). 


37) Documentation of exercise of recovery 
plan(s) (see 5.8.2). 

38) Documentation of changes to the recovery 
plan(s), and documentation of all associated 
communications (see 5.8.3). 


39) Documentation regarding information 
backup, periodic testing of the backup, and 
storage of the backup (see 5.8.4). 


6.4 Testing and Conformance 


The devices and systems deployed in the field and control 
centre shall be trustworthy with respect to their security 
requirements, in addition to the security management 
system processes adopted by the end users. 


The objective of this clause is to describe the tests and 
conformance assessments to ensure the devices and 
systems will be secure as per the relevant product 
standards or user’s technical specifications. Test 
requirements shall cover all the aspects of security 
specifications both functional and design requirements. 
Tests shall be conducted by user and supplier at various 
stages and wherever essential from a third party agency 
or accredited laboratory. Test results and all deviations 
from the test plans shall be required to be documented. 


6.4.1 Life Cycles of Security Tests 


The testing process requires that the various process 
functions of the devices, equipment, and systems 
be tested or verified during one or more stages in 
the production and installation cycle of the system. The 
testing process is classified into three groups based on 
the security life cycle of automation control systems 
as detailed in the following clauses. 


6.4.1.1 Devices and systems 


This includes testing for security compliance as 
per the respective product standards under laboratory 
conditions. This process is grouped into three levels, 
namely functional security assessment, software 
development security assessment and 
communication robustness testing. The communication 
robustness testing shall cover basic port testing and 
protocol specific testing. These tests shall be part of 
the product certified design tests, the factory test before 
customer approval for shipment and the field test during 
the installation and commissioning stage. 


6.4.1.2 Supplier practices 


This is part of certified design test and these tests are 
performed by the supplier on specimens of generic type 
of production model equipment to establish the security 
conformance with its design standard. 


Developmental security testing occurs at all post design 
phases of the system development life cycle. 
Information systems include information technology 
products (that is, hardware, software, and firmware 
components) that compose those systems. Information 
system developer is a general term that includes 
developers or manufacturers of information technology 
products (including hardware, software, and firmware), 
systems integrators, vendors, and product resellers. 
Developer testing confirms that: the required security 
controls are implemented correctly and operating as 
intended; and the information system meets the 
established security requirements. Security test and 
evaluation plans provide the specific activities that 
developers plan to carry out including the types of 
analysis, testing, and reviews of software and firmware 
components, the degree of rigour to be applied in the 
analysis, tests, and reviews, and the types of artefacts 
produced during those processes. Contracts specify the 
acceptance criteria for security test and evaluation 
plans, flaw remediation processes, and evidence that 
plans and processes have been diligently applied. This 
control also applies to organizations conducting 
internal systems development and integration. 


6.4.1.3 Integrated system deployment 


This stage covers the commissioning, site 
acceptance test and the periodic testing of the 
implemented architecture. This includes not only 
making sure the deployment blocks attacks, but also 
ensuring that the operation of the process is not 
negatively affected by the security deployment. The 
final stage is to manage the system on an on-going 
basis. Typical control networks will have multiple 
communication paths over many locations in the 
system. Ideally, the multiple security appliances in 
the system should be managed from a single 
management console application. 


As part of continuous life cycle management of the 
system, the organization employs an independent 
penetration agent or penetration team to conduct a 
vulnerability analysis on the information system; and 
perform penetration testing on the information system 
based on the vulnerability analysis to determine the 
exploitability of identified vulnerabilities. 
ANNEX A 


(Clause 2) 


BIBLIOGRAPHIC REFERENCES 


A-1 North American Electric Reliability Council 
(NERC) Critical Infrastructure Protection Standard: 


CIP 002 Cyber security — Critical cyber asset 
identification 


CIP 003 Cyber security — Security management 
controls 


CIP 004 Cyber security — Personnel and training 
CIP 005 Cyber security — Electronic security 
perimeter(s) 

CIP 006 Cyber security — Physical security of 
critical cyber assets 

CIP 007 Cyber security — Systems security 
management 

CIP 008 Cyber security — Incident reporting and 
response planning 

CIP 009 Cyber security — Recovery plans for 
critical cyber asset 


ANNEX B 


(Clause 2) 


LIST OF REFERRED INTERNATIONAL STANDARDS 


International Standards/Publications        Title 

IEC 62351 Power systems management and associated information exchange — Data and 
communications security 

Part 1:2007 Communication network and system security — Introduction to security issues 

Part 2:2008 Glossary of terms 

Part 3:2014 Communication network and system security — Profiles including TCP/IP 

Part 4:2007 Profiles including MMS 

Part 5:2013 Security for IEC 60870-5 and derivatives 

Part 6:2007 Security for IEC 61850 

Part 7:2010 Network and system management (NSM) data object models 

Part 8:2011 Role based access control 

IEC 60870-5:2013 Telecontrol, teleprotection, and associated telecommunications for electric power 
systems 

IEC 60870-6:1995 Inter-control centre communications protocol 


ISO/IEC 27001: 2005 Information security standard 